In one of the most infamous data breaches of the decade, Equifax, one of the nation's largest credit reporting companies, discovered unauthorized access to the personal and credit information of over 148 million US consumers. This week, I had the chance to sit down and listen to a podcast that interviewed Graeme Payne, the CIO of Equifax in 2017 during the time of the data breach. The podcast is called “Hacked Off” and is well worth 45 minutes of your time. In this blog, we are going to discuss the key lessons I took from Graeme’s interview about the 2017 Equifax data breach.
The initial access for the attackers in the Equifax data breach was through an Apache Struts remote code execution vulnerability (CVE-2017-5638). This vulnerability was disclosed and a patch was released on March 17, 2017. Equifax’s investigation revealed that one of their servers did not get this patch and was subsequently exploited in mid-May 2017. That is only two months from the time the vulnerability was disclosed. This demonstrates how critical it is to have a good patching process in place. Critical security patches need to be applied immediately, and you need visibility into the patch levels across all of your systems so that a single missed server does not go unnoticed. PCI requires critical patches to be applied within 30 days, but you should target a much quicker deployment time.
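To make that point concrete, here is an added example (not from the post, and not Equifax's tooling) that checks a constructed host inventory against the CVE-2017-5638 affected range and flags how long each unpatched host has been exposed relative to the PCI 30-day SLA and a faster internal target. The fixed Struts versions are taken from the Apache S2-045 advisory, and the exact mid-May exploitation date and the 7-day internal target are assumptions.

```python
from datetime import date

# CVE-2017-5638 (Apache Struts S2-045). The post gives the patch date as
# March 17, 2017. The fixed versions below come from the S2-045 advisory and
# the host inventory is constructed for this example; neither is from the post.
PATCH_RELEASED = date(2017, 3, 17)
EXPLOITED_ON = date(2017, 5, 13)   # "mid-May 2017", assumed exact day
PCI_SLA_DAYS = 30                  # PCI: critical patches within 30 days
TARGET_SLA_DAYS = 7                # a much faster internal target (assumed)

INVENTORY = [                      # (hostname, installed Struts version)
    ("web-01", "2.3.32"),          # patched
    ("web-02", "2.3.31"),          # missed by the rollout
    ("api-01", "2.5.10.1"),        # patched
    ("api-02", "2.5.10"),          # missed by the rollout
    ("legacy-01", "2.3.4"),        # predates the affected range
]

def parse_version(text):
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))

def is_vulnerable(version):
    """True if the version is in the S2-045 affected range:
    2.3.5 - 2.3.31 (fixed in 2.3.32) or 2.5 - 2.5.10 (fixed in 2.5.10.1)."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return (2, 3, 5) <= v < (2, 3, 32)
    if v[:2] == (2, 5):
        return v < (2, 5, 10, 1)
    return False

def patch_status(inventory, today):
    """One row per host: (host, version, vulnerable, days exposed, sla_state)."""
    days_open = (today - PATCH_RELEASED).days
    rows = []
    for host, version in inventory:
        if not is_vulnerable(version):
            rows.append((host, version, False, 0, "patched"))
        elif days_open > PCI_SLA_DAYS:
            rows.append((host, version, True, days_open, "PCI 30-day SLA breached"))
        elif days_open > TARGET_SLA_DAYS:
            rows.append((host, version, True, days_open, "internal target missed"))
        else:
            rows.append((host, version, True, days_open, "within target"))
    return rows

def overdue_hosts(inventory, today):
    """Hosts still vulnerable past the PCI SLA: the ones that need escalation."""
    return [r[0] for r in patch_status(inventory, today) if r[3] > PCI_SLA_DAYS]
```

Run against the mid-May date, the two unpatched hosts show 57 days of exposure, well past both the 30-day PCI window and the internal target; the same report run daily from the patch date would have flagged them at day 8.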
Testing Your Incident Response Plan
One of the most interesting things Graeme discusses is how difficult it was to go through their established incident response procedures. In the podcast, he describes a situation in which they needed to give the forensic specialists access to the network in order to do their investigation, but their internal procedures for granting network access were not designed to be quick. To protect themselves, all vendors who need access to the network have to go through an approval process that is thorough and intentionally slow. In this situation, however, they needed access immediately. At that point, Graeme was between a rock and a hard place. On one hand, he could follow the procedures, which would slow down the investigation, possibly lose some critical evidence, and hurt Equifax’s reputation even more. On the other hand, it’s probably not a good time to break internal safeguards and procedures directly after a data breach. Following the breach, attackers were targeting Equifax at never-before-seen levels, and the one thing you don’t want to do is start bypassing the security safeguards you have in place to protect your network, potentially introducing additional points of compromise.
Another challenge Graeme details in the interview is setting up a call center. Once Equifax disclosed the breach, they needed a public website and a call center to field inquiries from consumers, reporters, and investigators. Because of this, they had to quickly hire hundreds of call center employees to work the phones. Their onboarding process was not designed to handle such an influx of employees, and getting people hired and trained quickly was a significant challenge for them.
Both of these examples highlight the importance of running through your incident response plan before you need it in a time of crisis. By walking through example scenarios, you can uncover some of the obstacles you will face and come up with solutions that will help in your time of need. These walkthroughs should be based on a formal risk assessment. What are the threats you are most likely to face? Is it an external attacker gaining access, an insider threat, ransomware, distributed denial of service, etc.? Take time to run through each of the scenarios you may face, and make sure you get all the key players in the room to walk through them. Gather the lessons learned from these exercises and incorporate them into the incident response plan. This way, when a crisis hits, you know how to respond, and you can hopefully speed up the process. Oftentimes, organizations find it helpful to have a third party who knows how to think like an attacker and has been part of incident response efforts before help run these scenarios. This is definitely something we can help with, so feel free to reach out if you have any questions.
One of Graeme’s key lessons learned from the Equifax data breach, and something he has started his own company to try to address, is the importance of having the board involved prior to a data breach. As is the case in almost every organization we work with, the board may be aware of the security program and some of its efforts, but they are rarely involved in any incident response tabletop exercises that are conducted. As a result, they are woefully unprepared for the decisions they will have to make in a crisis situation, decisions which can have a profound impact on whether the organization can weather the storm or will have to close its doors. It is vital to have the board members take part in a worst-case scenario so they have the knowledge and experience they need to respond to an incident, manage public relations, and keep the business running.